Mailinglist Archive: opensuse-buildservice (88 mails)

< Previous Next >
Re: [opensuse-buildservice] signing issues with local OBS since yesterday
  • From: Hans-Peter Jansen <hpj@xxxxxxxxx>
  • Date: Thu, 20 Feb 2020 16:12:00 +0100
  • Message-id: <3434073.ZNHdtR03rT@xrated>
Am Montag, 3. Februar 2020, 08:43:30 CET schrieb Adrian Schröter:
On Samstag, 1. Februar 2020, 14:32:34 CET Hans-Peter Jansen wrote:

It started with stalling in kernel-default signing process since tonight

obsserver:~# l /srv/obs/events/signer/
total 20
drwxr-xr-x 2 obsrun obsrun 4096 Feb 1 10:41 ./
drwxr-xr-x 11 obsrun obsrun 4096 Jan 29 02:04 ../
prw-rw-rw- 1 obsrun obsrun 0 Feb 1 10:38 .ping|
-rw-r--r-- 1 obsrun obsrun 141 Feb 1 03:35
08fe2108a7e0cff115 -rw-r--r-- 1 obsrun obsrun 141 Feb 1 03:35
08fe2108a7e0cff115 -rw-r--r-- 1 obsrun obsrun 141 Feb 1 03:34

Even a complete rebuild of the repository doesn't change this state for
the kernel-default builds. It's the first build of kernel 5.5, as linked
from Kernel:stable/kernel-source

OBS state is idle. All services are up.

Looking into build log of one package (libdrm) shows:

getbinaries: missing packages: libpciaccess0
(worker was obsserver:2)

Accessing other build logs results in:

No live log available: connect to Connection refused

All updates for OBS Server 2.10 applied, rebooted, no change.

OBS_Server_2.10_Staging added, upgraded, rebooted, no change.

Any ideas anybody?

Check the log file of the bs_signer process. Also try to run

sign -k

for testing as obsrun user.

Since it reappeared massively this week, intervention deemed necessary.

Upgraded to OBS 2.10.1, fixed all rpmcheckconfig issues, but it affected all
rebuilt packages now.

Okay, time to get the signer up correctly. I followed:

but found a couple of notes being outdated. Here are my corrections:

one need to run "gpg2 --homedir /srv/obs/gnupg --full-generate-key",
insserv is spelled chkconfig now, or even better "systemctl enable --now"

/root/.phrases is /srv/obs/gnupg/phrases now

The section is confusing, it says:

our $sign = '/usr/bin/sign';
# Extend sign call with project name as argument "--project $NAME"

but /usr/bin/sign doesn't take such an argument:

$ sign -h
usage: sign [-v] [options]

sign [-v] -c <file> [-u user] [-h hash]: add clearsign signature
sign [-v] -d <file> [-u user] [-h hash]: create detached signature
sign [-v] -r <file> [-u user] [-h hash]: add signature block to rpm
sign [-v] -a <file> [-u user] [-h hash]: add signature block to appimage
sign [-v] -k [-u user] [-h hash]: print key id
sign [-v] -p [-u user] [-h hash]: print public key
sign [-v] -g <type> <expire> <name> <email>: generate keys
sign [-v] -x <expire> <pubkey>: extend pubkey
sign [-v] -C <pubkey>: create certificate
sign [-v] -t: test connection to signd server

The troubleshooting section tells us, that $sign_project is meant for
auxiliary sign implementations. Confused.

Now, I have $keyfile and $gpg_standard_key pointing to the exported key file,
(side by side with /srv/obs/obs-default-gpg.asc), $sign = "/usr/bin/sign" and
$sign_project = 0.

Guess what, sign -k running as obsrun is spilling a real key now, and signing
works again!

While at it, I have found a /OBS.pubkey file, is it still in use?


To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >